Does anyone know why I can protect a .html file in my WAR but not a servlet? I have the following web.xml which correctly prevents access to all the *.html files in /home, but does not prevent access to the servlet: <servlet> <servlet-name>Test</servlet-name> <servlet-class>test.TestServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>Test</servlet-name> <url-pattern>/test</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>My collection</web-resource-name> <url-pattern>/home/*</url-pattern> <url-pattern>/test</url-pattern> <http-method>*</http-method> <auth-constraint> <role-name>portalusers</role-name> </auth-constraint> </security-constraint> I have tried replacing /test with test, /test/*, test/*, test/ and other variations to no effect. It seems like Orion is not following the URL pattern rules specified in the Servlet 2.2 spec, though I could be wrong. This is similar to the other problem I was having... see the other message. Any ideas? Is anyone creating web applications or is it just me? Kit Cragin VP, Product Development Mongoose Technology, Inc.